Analysis

  • max time kernel: 1790s
  • max time network: 1792s
  • platform: windows7_x64
  • resource: win7v20201028
  • submitted: 20-01-2021 15:27

General

  • Target: 0120_91448090.doc
  • Size: 714KB
  • MD5: 838c2a21783dfaa3bda9813f0e32cf89
  • SHA1: b4beab0f75d1462f3509b15319545c1f18c91449
  • SHA256: f068b16458493f485c6fa0e77281126c6672c76a4cfa0beb195cf180894e674f
  • SHA512: d1f3a3d923f54c2fdcce25933b9f7acf3efb538cdb732dd8a347ec27616ca5d977e4e03c4813a62042609cce6d3ae0933ca2872ebfd4f76eb2cd170c1dded116

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0120_91448090.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1624
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,UninstallFont
        2⤵
        • Process spawned unexpected child process
        PID:1772

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1624-5-0x0000000000000000-mapping.dmp
  • memory/1624-6-0x000007FEFC371000-0x000007FEFC373000-memory.dmp (Filesize: 8KB)
  • memory/1772-7-0x0000000000000000-mapping.dmp
  • memory/1772-8-0x0000000076641000-0x0000000076643000-memory.dmp (Filesize: 8KB)
  • memory/2008-2-0x0000000072CD1000-0x0000000072CD4000-memory.dmp (Filesize: 12KB)
  • memory/2008-3-0x0000000070751000-0x0000000070753000-memory.dmp (Filesize: 8KB)
  • memory/2008-4-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/2008-9-0x0000000000560000-0x0000000000561000-memory.dmp (Filesize: 4KB)